This article is intended solely for information purposes.
In it, I will discuss the use of an attack known as a “Man In The Middle” (MITM) in order to capture user IDs and passwords that pass through connections.
The misuse of this method, or of the information arising from it, may be considered illegal, and as such it should not be used on any system/network without permission from its owner.
- Wi-Fi connection (Router needs to be capable of packet injection)
- Cracked Wi-Fi key for victim network.
- Operating system: BackTrack – a Linux distro; the current version is BT5R2
- Ettercap GTK (GUI version) – included in BT5R2
In a previous article, Ross explained how one may go about hacking a WPA/WPA-2 Wi-Fi network.
The question is, what can we do once we have achieved this?
This attack is called a Man In The Middle. It is basically a method whereby you place your computer between a victim computer and the access point/router.
There are many ways to achieve this positioning; we will be using a method known as ARP poisoning.
1) First of all, we need to edit the etter.conf file. This is found by navigating to root folder > etc > etter.conf.
Open this file and scroll down to the Linux section. You will see “# if you use iptables”. Below this will be two lines of code, each starting with a #.
Note – in a file like this, text starting with a # is a “comment” and is ignored by the program. By simply removing the #, Ettercap will read and apply that line when it starts, provided it’s valid, of course.
Delete only the # from the beginning of these two lines.
Save the file (Ctrl+S) and close it.
Note – if not using BackTrack 5, etter.conf will be located at root folder > usr > local > etc > etter.conf
2) Now, with the Wi-Fi key that you obtained for the victim network, open the WICD network manager and connect to that network.
3) Once connected, we need to open Ettercap GTK. This is found in the Applications menu in BackTrack > privilege escalation > protocol analysis > network sniffers > ettercap gtk.
4) Now click on the following: Sniff > unified sniffing > network interface (this will usually be wlan0) > OK.
5) Then click on: hosts > scan for hosts.
You will notice that the dialog box now says: “… hosts added to the hosts list…” – this is the number of systems detected on the victim network, including the router and excluding your system. They will be listed in the box above.
6) Now click on Mitm > arp poisoning > sniff remote connections > OK.
You will see in the dialog box that, because we didn’t specify the targets, it will sniff “any hosts in the list”. Perfect.
7) Then click on start > start sniffing.
To see if the ARP poisoning was successful, click on: plugins > manage plugins. You’ll see the third choice on the list, “chk_poison”; double-click on this, and the dialog box will report whether or not it was successful.
Now, what we have done is set things up so that fake security certificates are presented between the victim computer and the destination website – Facebook, Gmail, etc. Because such a substitute certificate is not signed by an authority the victim’s browser trusts, the browser will show a certificate warning; a user who heeds that warning and does not proceed is not exposed.
If we didn’t do this, the information we intercept would be encrypted and much more difficult to decipher, because most modern secure websites use a protocol called HTTPS.
Monitoring the dialog box, when the victim tries to log into a site requiring a username and password, these will appear in plain text – along with the website they are for. Success!
Sometimes there may be an ARP detection system in place on the router, and as such the ARP poisoning may stop working. No problem: just stop the process and repeat the steps above.
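As an added, defensive example (not part of the original article or of Ettercap), here is a small Python detector for the kind of ARP poisoning described above: it reads ARP replies in the one-line form printed by `tcpdump -n arp` and raises an alert when an IP address (the gateway’s in particular) is suddenly claimed by a different MAC address, or when one MAC address starts claiming several IPs. The capture text, the MAC addresses and the `192.168.1.x` addresses are constructed for the example; the `gateway_ip` argument is an assumption the caller supplies.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a real network), in the one-line
# format `tcpdump -n arp` prints. The gateway 192.168.1.1 is first answered
# by one MAC; later a second MAC claims both the gateway and a workstation.
SAMPLE_CAPTURE = """\
12:00:00.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:00.000400 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:00.500000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:05.100000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
12:00:05.500000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
"""

# Only ARP replies carry "is-at" bindings; requests are ignored on purpose.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the capture text."""
    for line in text.splitlines():
        match = ARP_REPLY_RE.match(line)
        if match:
            yield match.group("ts"), match.group("ip"), match.group("mac").lower()


def detect_arp_spoofing(replies, gateway_ip=None):
    """Return a list of alert dicts for suspicious IP/MAC bindings.

    Two heuristics are applied to the stream of replies:
      * ip_mac_change: an IP that was bound to one MAC is now claimed by another
        (severity "high" when the IP is the assumed gateway, else "medium").
      * mac_claims_multiple_ips: one MAC claims a second, distinct IP, which is
        what an ARP-poisoning host does when it impersonates several peers.
    """
    ip_to_mac = {}                 # last MAC seen claiming each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []

    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "time": ts, "type": "ip_mac_change", "ip": ip,
                "old_mac": previous, "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
        ip_to_mac[ip] = mac

        # Alert only when the set of IPs claimed by this MAC actually grows,
        # so repeated replies do not produce duplicate alerts.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({
                    "time": ts, "type": "mac_claims_multiple_ips", "mac": mac,
                    "ips": sorted(mac_to_ips[mac]), "severity": "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_CAPTURE),
                                     gateway_ip="192.168.1.1"):
        print(alert)
```

On a real network the same function can be fed the output of `tcpdump -n arp` instead of the constructed text; the gateway’s MAC changing is the strongest signal, because a poisoning host has to replace exactly that binding on every victim to sit between them and the router. A static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on the switch, is the corresponding mitigation.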
Learn it, Perfect it, Share it.